
Today, small- and mid-sized businesses have an increasingly mobile workforce. Faster broadband service, expanded wireless access, and a proliferation of Internet-enabled devices have boosted the productivity of these remote employees. More and more business owners and employees demand the flexibility to access their data while physically not at work. To meet this demand, a growing number of small- and mid-sized businesses provide remote access to employees and managers.

However, for the SMB market, many remote access solutions are cost-prohibitive and too complicated to set up. In addition, limited resources and budgets make it difficult for many small and mid-sized businesses to:

- Provide secure remote access to multiple users.
- Enable employees to access information using remote laptops, PCs, kiosks, or PDAs.
- Provide an easy way to deliver and manage remote access for mobile employees.
- Deploy a remote access solution that is cost-effective and easy to troubleshoot, maintain, and support.

SSL VPN: The Right Sized Solution for SMB

Due to their flexibility, security, and ease of deployment, SSL VPNs are quickly becoming the preferred solution to meet the remote access needs of small- and mid-sized businesses.

SSL VPNs are built on SSL, or Secure Sockets Layer, a protocol originally developed by Netscape Communications in the mid-90s. As the standard for secure electronic commerce (e-commerce) transactions on the Internet, SSL has undergone years of public scrutiny. Supported by all standard browsers, including Microsoft Internet Explorer, Apple Safari, and Mozilla Firefox, SSL securely transfers information between a web browser and an electronic commerce site on the web. Secure Sockets Layer is often represented as the padlock in the bottom right corner of the window when a browser is connected to a secure website. See Diagram 1. A secure website is typically identified as "https", where the "s" in "https" refers to SSL.

Diagram 1

SSL VPNs combine the security and confidentiality provided by SSL and the mobility of a Virtual Private Network. Together, they enable remote users to connect to their office networks using standard web browsers.

Better from the Ground Up

SSL VPNs are typically compared to IPSEC VPNs. However, there are significant differences between the two access methods. IPSEC VPNs were designed to provide site-to-site (branch-to-branch) access. By comparison, SSL VPNs were designed to provide remote access for a mobile user to a corporate resource. When compared to IPSEC VPNs, SSL VPNs offer:

- Platform Independence: Because they connect to the network through a web browser, SSL VPNs enable access from anywhere, independent of the platform used.
- Browser-based access: Unlike IPSEC VPNs that require a client to provide remote access, SSL VPNs provide clientless remote access to corporate resources.
- Granular access controls: SSL VPNs provide granular application access to corporate resources while IPSEC VPNs only provide network access.
- Seamless integration: SSL VPNs integrate seamlessly with the existing firewall infrastructure. The protocol is application-based and does not interfere with basic firewall functions operating at the IP layer.

The table below summarizes the key differences between IPSEC VPNs and SSL VPNs and explains when each solution is most appropriate.
Description: IPSEC VPN compared with SSL VPN

Security and OSI Model
  IPSEC VPN: Suite of protocols provides security at the network or IP layer. Predicated on trusted relationship between networks or between users and the network. Defines how to provide tunneling, encryption, and authentication. Allows organizations to select and specify the security policy appropriate for their network.
  SSL VPN: Operates at the application layer. Uses any standard Internet browser. Provides finely grained access control to the application and associated resources. Entire connection is encrypted using

Method of Access
  IPSEC VPN: Uses tunneling and encryption to provide secure data transfer between one private network and another or between a private network and a user.
  SSL VPN: Uses proxies, tunneling, encryption, and access control to provide secure remote access between users and a private network. Does not provide access between one private network and another.

Client
  IPSEC VPN: Client required.
  SSL VPN: Clientless access to corporate resources as part of any standard browser.

Connection
  IPSEC VPN: Better suited for network-based connection model.
  SSL VPN: Better suited for application-based remote access.

Firewalls and Network Address Translation (NAT)
  IPSEC VPN: Poor integration with existing firewalls using network address translation.
  SSL VPN: Operates at application layer for seamless integration with existing firewall infrastructure.

Granular Access
  IPSEC VPN: Limited. Only operates at the network layer (Layer 3).
  SSL VPN: High-level granular access control for applications. Operates at the application layer of the OSI model.

Return on Investment
  IPSEC VPN: Lower. Additional cost of client increases total cost of ownership.
  SSL VPN: Higher. No client to deploy and manage, reducing costs for administration and support.

Support
  IPSEC VPN: Best suited for site-to-site access such as between branch offices.
  SSL VPN: Best suited for user-to-site remote access.

Platform-Independent Access
  IPSEC VPN: Requires installed client on device to connect to the corporate network. Limits access to company laptops and PCs. No access from PDAs, kiosks, and non-company laptops and PCs.
  SSL VPN: Provides access from a wide variety of devices. Can access applications from any location or device with Internet access, including PDAs, kiosks, and non-company laptops and PCs.

Encryption Protocol Support
  IPSEC VPN: Tunneling: Authentication Header (AH) and Encapsulating Security Payload (ESP). Encryption: DES, 3DES, 128/192/256-bit AES.
  SSL VPN: Encryption: DES, 3DES, AES 256-bit. Authentication: Local User Database, Microsoft Active Directory, LDAP, NT Domain, and RADIUS.

NETGEAR: A Leader in SSL VPN Solutions

As the leader in the SMB market, NETGEAR makes an ideal vendor for SSL VPN solutions. The NETGEAR ProSafe SSL VPN Concentrator SSL312 provides small- and mid-sized organizations with an easy, secure, and cost-effective solution for remote access for up to 100 employees. Using the Secure Sockets Layer (SSL) protocol supported natively on all standard web browsers, the SSL312 seamlessly integrates with your existing firewall infrastructure to offer industry-standard access and security. The intuitive web interface, customizable portal, and plug-and-play installation make the SSL312 easy and cost-effective to deploy.

The NETGEAR ProSafe SSL312 supports up to 25 users simultaneously. Remote employees can safely and securely log in from network environments and remote computers that are not controlled or managed by your corporate IT department. The SSL312's advanced features include:

- Security: The SSL312 uses Secure Sockets Layer version 3.0 and TLS 1.0 to ensure security and complete privacy. By leveraging industry-standard security protocols such as DES, 3DES, and AES-256, the SSL312 supports MD5 and SHA-1 to ensure data confidentiality over the Internet. The SSL312 can also clear the cache after a remote user logs out to protect the data and privacy of the user.
- Customizable Portals: Administrators can configure and customize user portals to enforce role-based access and ease the end user experience when connected to the corporate network. Granular policy configuration tools give administrators complete control over individual user access to specific network resources.
- Cost-Effective: The SSL312's support for web-based access eliminates the high cost of installing, configuring, and maintaining client software on each PC. Studies have shown that an SSL-based solution can save businesses $100 to $300 per year per user in client costs.
- Easy-to-Manage: SSL is available wherever there is a standard Web browser, including kiosks and retail business centers, so users don't need a company laptop to access company resources. Administrators have access to and full remote control of employees' desktops without client software installation.
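Added example (not part of the NETGEAR white paper and not the SSL312's own code): the Security feature above names SSL 3.0, TLS 1.0, DES, and 3DES, so the Python below parses a ServerHello record and reports which of those a gateway actually selected, as an administrator would when auditing such a device. The sample records are constructed, the function names are hypothetical, and it assumes an unfragmented ServerHello from TLS 1.2 or earlier.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
LEGACY = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}  # deprecated by RFC 7568 and RFC 8996
# IANA cipher suite IDs for the ciphers the white paper lists, with an audit note.
SUITES = {
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", "single DES, 56-bit key"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "3DES, 64-bit block"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", None),
}


def parse_server_hello(record: bytes) -> dict:
    """Extract the version and cipher suite the server selected."""
    if len(record) < 9 or record[0] != 0x16:           # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4 or body[0] != 0x02:  # 0x02 = ServerHello
        raise ValueError("truncated record or not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                                # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]                               # skip the session id
    if len(hello) < off + 3:                           # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite_id = int.from_bytes(hello[off:off + 2], "big")
    name, note = SUITES.get(suite_id, (f"unknown(0x{suite_id:04X})", None))
    version = VERSIONS.get((hello[0], hello[1]), f"unknown({hello[0]}.{hello[1]})")
    return {"version": version, "suite": name, "suite_note": note}


def audit(record: bytes) -> list:
    """Return findings for the parameters a gateway negotiated."""
    info = parse_server_hello(record)
    findings = []
    if info["version"] in LEGACY:
        findings.append(f"legacy protocol: {info['version']}")
    if info["suite_note"]:
        findings.append(f"weak cipher: {info['suite']} ({info['suite_note']})")
    return findings


def sample_hello(version: tuple, suite_id: int) -> bytes:
    """Build a constructed ServerHello record (zeroed random, empty session id)."""
    hello = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", suite_id) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [((3, 0), 0x0009), ((3, 1), 0x000A), ((3, 3), 0x0035)]:
        print(audit(sample_hello(ver, suite)))
```

In practice the record would come from a packet capture of a browser connecting to the concentrator rather than from sample_hello.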

Deployment Scenario

The SSL312 can be deployed on a network in a number of ways. The most popular approach is to install the SSL312 on the network behind a firewall, as shown in Diagram 2.

[Diagram 2: The ProSafe SSL VPN Concentrator SSL312 sits on the internal network (web, database, and file servers) behind a ProSafe VPN Firewall and broadband modem. Users connect over the Internet via PDA, from a partner site, via kiosk or laptop, from home, or at a coffee shop or hotspot, and are allowed limited or full access to the corporate network.]

A firewall is highly recommended for small and mid-sized companies. However, the SSL312 is not a firewall and traditionally sits behind one. The SSL312 is responsible for terminating all SSL VPN connections. The SSL312 verifies user credentials when remote users log in with their user name and password and provides access to corporate resources based upon their user policy.

When the SSL312 is deployed behind a firewall, the firewall must be configured to send all inbound SSL connections to the SSL VPN concentrator. Diagram 3 shows the administration interface for the SSL312.

To fully configure the NETGEAR ProSafe SSL VPN Concentrator SSL312, please refer to the Installation and User Guide available at

Diagram 3

After the successful installation of the SSL312, remote users can access corporate resources by entering the IP address or DNS name of the SSL VPN Concentrator in the navigation bar of a supported browser. The SSL312 supports Microsoft Internet Explorer and Apple Safari as the client browsers for access. Once a remote user successfully logs into the SSL VPN box, he/she will see the screen below.

Diagram 4

With the SSL312, administrators have the flexibility to provide multiple remote access options to their remote users. These access options include:

- VPN Tunnel: Using a small (<64K) ActiveX control downloaded during the first connection to the SSL VPN Concentrator, a VPN tunnel can provide full IPSEC-like connectivity. The ActiveX control creates a PPP adapter upon installation to deliver full IPSEC-like connectivity to corporate resources.
- Port Forwarding: Port forwarding provides access to mission-critical applications, such as and mapped network drives, as if they were located on the corporate network. However, port forwarding differs from a VPN tunnel in several ways.
  o Port forwarding only supports TCP data, not UDP or other IP protocols.
  o Port forwarding detects and reroutes individual data streams over the port forwarding connection instead of through a full tunnel to the corporate network. As a result, port forwarding uses a lighter client than the VPN tunnel and installs more quickly.
  o Port forwarding offers more fine-grained management than the VPN tunnel. Administrators can define individual applications and resources available to remote users. With the VPN tunnel, administrators must create access policies to block undesirable traffic at the SSL VPN gateway rather than at the client level.
  o Port forwarding does not require administrative privileges on the client PC to install the VPN Tunnel ActiveX file.
- Utilities: The SSL312 supports utilities such as ssh, telnet, and ftp to enable administrators and power users to manage servers and desktops on the network when working remotely.
- Remote access allows access to a remote desktop, desktop application, or a home directory on a central server using either Microsoft Terminal Services or VNC. Both Microsoft Terminal Services and VNC support the unique ability to launch individual applications running on a remote desktop or server.
Conclusions

With its ease of use, simple installation, cost-effective maintenance, and secure access, the NETGEAR SSL312 is an excellent solution for small- to medium-size businesses. It provides all the access most remote users need without the burdensome overhead and expense of enterprise-focused IPSEC VPN solutions. And with NETGEAR's SMB market expertise, the SSL VPN ensures this growing technology remains a perfect fit for growing companies.

NETGEAR, Inc., NETGEAR, the NETGEAR logo, Connect with Innovation, Everybody's connecting, the Gear Guy, IntelliFi, ProSafe, RangeMax, and Smart Wizard are trademarks or registered trademarks of NETGEAR, Inc., in the United States and/or other countries. Microsoft and Windows are trademarks of Microsoft Corporation in the United States and/or other countries. Intel, the Intel logo, Intel Viiv and Intel Viiv logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States or other countries. Other brand and product names are trademarks or registered trademarks of their respective holders. Information is subject to change without notice. All rights reserved.
